peterr
Posts: 5971
|
| Posted: 01/19/2009, 3:39 PM |
|
Hello,
This is just an official confirmation of the PHP/SQL injection bug discovered here on the forums. We are testing the updated CCS installation and expect an update tomorrow/Tuesday.
Thanks to everyone who participated in researching and resolving this issue, especially Rick (mentecky) for posting the solution at http://www.ccselite.com/forums_topics_view.php?forum_id=2&forum_topic_id=41
Obviously an immediate action is needed on everyone's end to prevent related exploits.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
 |
 |
joseph2k
Posts: 72
|
| Posted: 01/19/2009, 9:43 PM |
|
I would like to see a group of us attempt to find more of these problems as it creates a huge issues for customers.
Anybody up to it?
|
|
|
|
mentecky
Posts: 321
|
| Posted: 01/20/2009, 6:10 AM |
|
Peter,
Thanks for looking into this and verifying it so quickly. I look forward to your update because, as you can tell from my past posts, I hate editing CCS generated code and only do so when absolutely necessary.
Also, thanks for the credit! It was however a team effort. I threw the quick patch together but was only able to do so based on THX1138's excellent description of what happened. John (jjrjr1) and markie double checked it, installed it and gave me feedback. John went through several iterations of the install and test process.
joseph2k, I think the community does this pretty well now. We all pretty freely post tips and solutions and Peter is good about reading the boards and I'm sure he passes suggestions on to development.
Thanks again Peter
Rick
_________________
http://www.ccselite.com |
|
|
|
joseph2k
Posts: 72
|
| Posted: 01/20/2009, 9:28 AM |
|
Yes.. we all post tips freely but this would be a concerted effort to break the security, it is not by causal uncovering. Actually I posted a query on this very topic over 2 years ago, no significant response...
So I started my self and any site built I restricted certain characters and strings globally.
|
|
|
|
jjrjr1
Posts: 942
|
| Posted: 01/20/2009, 10:06 AM |
|
Hi
Looking for other security holes is probably not a bad idea. (As long as this board is not the test bed.. lol). And I think Rick agrees and is confident that when they are found they get shared at any of the CCS communities..
Rick also pointed out that Peter (YesSoftware) is responsive to these issues as evidenced by how Yes handled this situation and validated a workable solution that effectievly solved the problem and was made available immediately. My hat is off to Peter and Yessoftware for the attention given to this situation.
Well I for one am glad Rick took the time to craft a solution to this problem for all of us so quickly and posted it for us to use and mitigate a very serious potential problem. Not only did it solve the issue, but it did not restrict any content being added to database tables.
Thanks again to all who helped over the weekend.
As Always... Have fun!!!
_________________
John Real - More CodeCharge Studio Support at - http://CCSElite.com |
|
|
|
peterr
Posts: 5971
|
| Posted: 01/20/2009, 1:58 PM |
|
Thanks, I indeed didn't track all previously provided solutions, but appreciate THX1138's and everyone's involvement.
Well, we just found that similar problem can affect the ASP.NET code, and we are doing more extensive review of similar scenarios and run tests on the patch itself because couple other technical issues were fixed in the last weeks. Therefore the patch will be delayed till tomorrow/Wednesday.
I also want to point out that the story could be different if someone experienced such problem on their end, so in a way it's a good thing that it happened here first, with our forum backup in place and your quick solution that can be applied in the same way by everyone else 
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
|
|
|
peterr
Posts: 5971
|
| Posted: 01/21/2009, 4:08 PM |
|
The patch is now available:
http://support.yessoftware.com/updates.asp
------------------------
CodeCharge Studio 4.1 Updated to version 4.1.00.032
An important SQL injection bug affecting PHP and ASP.NET applications was resolved per forum discussion at http://forums.yessoftware.com/posts.php?post_id=103233.
CodeCharge Studio was updated to version 4.1.00.032 and can be obtained from the main product download page ( http://www.yessoftware.com/download/download_form.php?product_id=1 ) or directly from http://download2.yessoftware.com/CCStudio4_1.exe .
We recommend that everyone updates their Web applications ASAP by re-publishing all files (F9).
------------------------
However, I forgot to check how specifically this issue was resolved, and if any additional bug fixes were included. I'll post back here again shortly.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
|
|
|
datadoit
|
| Posted: 01/21/2009, 5:27 PM |
|
Let's pretend for a second that not everyone in the world is running the
latest and greatest version. Will patches be made available for them?
Specifically version 3.2.0.4 that's only about a year or so old?
|
|
|
|
jjrjr1
Posts: 942
|
| Posted: 01/21/2009, 6:08 PM |
|
Data
Rick's patch is good all the way back to 3.0 the best we can tell. Don't have any earlier versions of Common.php.
In fact CCSElite.com is CCS ver 3.2 and was originally developed and tested there.
Installing this patch to Common.php should not prevent CCS from being configurable since the affected routine is not modified by and project settings.
As for ASP .NET, that will be up to Y.
_________________
John Real - More CodeCharge Studio Support at - http://CCSElite.com |
|
|
|
Gena
Posts: 591
|
| Posted: 01/21/2009, 10:44 PM |
|
Thanks; Peter. And how about ver. 3.1.0.1? Will patch be available too?
_________________
Gena |
|
|
|
Zye
Posts: 56
|
| Posted: 01/22/2009, 8:24 AM |
|
Thanks Yes for the captcha feature in my (CCS4.1.00.032) forms tools. Haven't had time to test it yet ... if it works at all.
I can't see where you have patched the common file for the bug, so your patch must be in some other file. Anyways! I am grateful for the update.
Cheers
Thanks to Rick, John and peeps for sussing it out.
|
|
|
|
peterr
Posts: 5971
|
| Posted: 01/22/2009, 2:12 PM |
|
Here are the details of how the problem was resolved in PHP:
The pages no longer call "CCBuildSQL" during updates, only during insert. The following database update code within each page was replaced:
$this->SQL = CCBuildSQL($this->SQL, $this->Where, "");
New code:
$this->SQL .= strlen($this->Where) ? " WHERE " . $this->Where : $this->Where;
Re: older CCS versions:
a) Version 3.2 will be updated as well. However, version 3.1 is too old and doesn't work on most computers due to Microsoft Windows Updates and IE7, therefore it was already patched to version 3.2 to resolve those issues.
b) Indeed the fix for Common.php discussed here on the forums is a good way to patch older CCS applications even without CodeCharge Studio.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
|
|
|
maxhugen
Posts: 272
|
| Posted: 01/22/2009, 2:31 PM |
|
Congrats and Well Done to all involved!
I didn't understand how severe SQL Injection could be, till now.
Makes me glad I take data backups seriously though. 
Thanks!
_________________
Max
www.gardenloco.com | www.eipdna.com | www.chrisarminson.com |
|
|
|
datadoit
|
| Posted: 01/22/2009, 3:28 PM |
|
Peter R = Da man
|
|
|
|
